Issue: 01
Date: 2010-06-30
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Contents
1 Introduction to This Document
1.1 Scope
1.2 Intended Audience
1.3 Change History
4 Engineering Guidelines
5 Parameters
6 Counters
7 Glossary
8 Reference Documents
Personnel working on Huawei GSM products or systems
System operators who need a general understanding of this feature
Feature change: Feature change refers to the change in the ciphering feature of a specific product version.
Editorial change: Editorial change refers to the change in wording or the addition of the information that was not described in the earlier version.
Document Issues
The document issues are as follows:
01 (2010-06-30)
This is the first release of GBSS12.0. Compared with issue draft (2010-03-30) of GBSS12.0, issue 01 (2010-06-30) of GBSS12.0 incorporates the changes described in the following table.

Change Type: Feature change
Change Description: None.
Parameter Change: None.

Change Type: Editorial change
Change Description: Parameters are presented in the form of Parameter ID instead of Parameter Name.
Parameter Change: None.
Draft (2010-03-30)
This is the draft release of GBSS12.0.
2 Overview
The information ciphered on the Um interface involves signaling, speech, and data. Ciphering guarantees information security and protects user information and conversation contents from unauthorized access.

The ciphering procedure is initiated on the network side. The BTS and MS cipher and decipher the information by using the A5 algorithm and the ciphering key (Kc) generated by the A8 algorithm on the basis of the capability of the MS and BTS. Thus, the security of the information on the Um interface is ensured.

The Kc is generated by the GSM authentication center (AuC) and stored in the MSC/VLR. The Kc is sent to the BTS before the ciphering procedure begins. The MS and the network adopt the A8 algorithm to generate the Kc by using the same Ki and random number (RAND).

A ciphering or deciphering sequence is generated through the A5 algorithm on the basis of the Kc stored in the MS and the network and the frame number from the current pulse stream. The network uses the same ciphering sequence in the uplink and downlink. For each burst, the data is ciphered or deciphered as follows:

One sequence is used for the MS ciphering and BTS deciphering.
The other sequence is used for the BTS ciphering and MS deciphering.
A5/0 Ciphering Algorithm
A5/1 Ciphering Algorithm
A5/2 Ciphering Algorithm
A5/3 Ciphering Algorithm
A5/4 Ciphering Algorithm
A5/5 Ciphering Algorithm
A5/6 Ciphering Algorithm
A5/7 Ciphering Algorithm
A network operator can use the A5 ciphering algorithm only after applying for and being granted authorization of the 3GPP Organizational Partners. The network operator should use the A5/1 or A5/3 ciphering algorithm because the A5/2 ciphering algorithm has already been broken. The A5/3 ciphering algorithm is preferred in terms of security.

The ciphering algorithms are selected on the basis of the capabilities of the network and MS. The ciphering algorithms to be adopted should be those allowed in the ciphering command delivered by the MSC, allowed in the BSC data configuration, and supported by the MS. The BSC selects the appropriate ciphering algorithms based on the priorities of the algorithms. If the BSS does not support the ciphering algorithms allowed in the ciphering command delivered by the MSC, the ciphering is rejected.

The A5 ciphering algorithm provides weak protection for data security. Therefore, the ciphering procedure is optimized on the basis of the characteristics of the Um interface transmission in GSM, thus enhancing transmission security and the defense against network eavesdropping.
3 Technical Description
3.1 Kc and Its Generation
This describes the application and generation of the ciphering key (Kc). The MS and the network use the same Kc for ciphering and deciphering user data.

An MS is allocated an International Mobile Station Identity (IMSI) and Ki after it is registered in the GSM network. The MS and the network use the same Ki and RAND. The RAND is generated by the network and sent to the MS. Both the network and the MS use the A8 algorithm to generate the ciphering key Kc. Figure 3-1 shows the generation of the Kc.

Figure 3-1 Generation of Kc
[Figure: the network side (AUC) and the MS each apply the A8 algorithm to Ki and the random number.]
1. In the call access procedure, the MS sends an Establish Indication message to the BSC.
If the parameter ECSC in the system information is set to No, the MS reports Classmark 1 or Classmark 2, indicating whether the MS supports A5/1, A5/2, and A5/3 ciphering algorithms.
If the parameter ECSC in the system information is set to Yes, the MS reports Classmark 1, Classmark 2, and Classmark 3, indicating whether the MS supports A5/1, A5/2, A5/3, A5/4, A5/5, A5/6, and A5/7 ciphering algorithms.
2. On receiving the Ciphering Mode Command message from the MSC, the BSC checks the classmarks reported by the MS. If the BSC does not receive Classmark 3, the BSC sends a Classmark Enquiry message to the MS, asking the MS to report Classmark 3. Classmark 3 defines whether an MS supports A5/4, A5/5, A5/6, and A5/7 ciphering algorithms.
The ciphering algorithms to be adopted should be those allowed in the ciphering command delivered by the MSC, allowed in the BSC data configuration, and supported by the MS. The BSC selects the appropriate ciphering algorithms based on the priorities of the algorithms, and then sends an Encryption Mode Command message to the BTS.
The priority of the ciphering algorithms decreases from A5/7 to A5/0.
If the BSS does not support the ciphering algorithms specified in the Ciphering Mode Command message, it sends the MSC a Ciphering Mode Reject message with the cause value Ciphering Algorithms Not Supported. If the MSC requests to change the ciphering algorithms while the BSS has enabled the former ciphering algorithms, the BSS sends a Ciphering Mode Reject message to the MSC.
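The selection rule described above, as an added example that is not Huawei's code: the algorithm must be permitted by the MSC, allowed in the BSC data configuration, and supported by the MS, with the highest-numbered candidate winning. The names `select_a5`, `Classmarks` and the sample sets are hypothetical; treating A5/0 as always available on the MS and rejecting when the MS shares no algorithm are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Classmarks:
    cm2_a5: Set[int]                    # subset of {1, 2, 3}, from Classmark 1/2
    cm3_a5: Optional[Set[int]] = None   # subset of {4..7}; None = Classmark 3 not received

def select_a5(msc_permitted: Set[int], bsc_allowed: Set[int],
              ms: Classmarks) -> Tuple[str, Optional[object]]:
    """Return (action, detail) for one Ciphering Mode Command."""
    if ms.cm3_a5 is None:
        # The BSC asks the MS to report Classmark 3 before choosing.
        return ("CLASSMARK_ENQUIRY", None)
    # Assumption: every MS can run unciphered (A5/0).
    ms_supported = {0} | ms.cm2_a5 | ms.cm3_a5
    candidates = msc_permitted & bsc_allowed & ms_supported
    if not candidates:
        # The page specifies this cause for the BSS side; using it for an
        # MS with no common algorithm is an assumption of this sketch.
        return ("CIPHERING_MODE_REJECT", "Ciphering Algorithms Not Supported")
    # Priority decreases from A5/7 to A5/0, so the largest index wins.
    return ("ENCRYPTION_MODE_COMMAND", max(candidates))

def is_recommended(alg: int) -> bool:
    """The page recommends A5/1 or A5/3; A5/0 is no ciphering, A5/2 is broken."""
    return alg in {1, 3}

# Constructed sample configurations.
MSC_PERMITTED = {0, 1, 2, 3}
WEAK_BSC = {0, 1, 2, 3}        # BSC data configuration that still allows A5/0 and A5/2
HARDENED_BSC = {1, 3}          # only the algorithms the page recommends
OLD_MS = Classmarks(cm2_a5={2}, cm3_a5=set())      # constructed: A5/2-only handset
NEW_MS = Classmarks(cm2_a5={1, 3}, cm3_a5=set())   # constructed: A5/1 and A5/3

if __name__ == "__main__":
    for name, bsc in (("weak", WEAK_BSC), ("hardened", HARDENED_BSC)):
        for ms in (OLD_MS, NEW_MS):
            print(name, ms.cm2_a5, select_a5(MSC_PERMITTED, bsc, ms))
```

With the weak configuration the A5/2-only handset is assigned A5/2; with the hardened configuration the same request is rejected instead of being downgraded.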
On receiving a valid Ciphering Mode Command message, the MS loads the Kc stored in the SIM card. If the MS receives an invalid Ciphering Mode Command message, the message is considered erroneous. In this case, the MS sends an RR Status message with the cause value Protocol Error and does no further processing. A valid Ciphering Mode Command message is defined to be one of the following:
One that indicates "start ciphering" and is received by the MS in "not ciphered" mode.
One that indicates "no ciphering" and is received by the MS in "not ciphered" mode.
Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd.
After the MS receives the Ciphering Mode Command message and finishes the ciphering, it begins to send and receive messages in ciphered mode.
If the MS has started certain operations specified in the Ciphering Mode Command message, it sends a Ciphering Mode Complete message to the network.
If the "cipher response" field in the Ciphering Mode Command message specifies "IMEISV request", the MS shall include its IMEI in the Ciphering Mode Complete message.

On receiving the Ciphering Mode Complete message from the MS, the network starts information transmission in ciphered mode.
3.
Fast SDCCH handover is adopted in the MS access process, which increases the difficulty for the intruder to trace the user call. Fast SDCCH handover indicates that the BTS initiates an intra-cell SDCCH handover immediately after sending the ciphering command to the MS. Thus, the subsequent ciphered signaling can be transmitted and received on a new signaling channel. SDFASTHOSWITCH specifies whether this function is enabled. To avoid incompatibility with the MS, the handover command is sent after the ciphering complete message is received.
The TCH timing handover is introduced to increase the difficulty for the intruder to trace a user. For speech calls, intra-cell handovers are performed at a specified time. TCHTIMEHOSWITCH specifies whether the TCH timing handover is enabled. If TCHTIMEHOSWITCH is set to Yes, the handover timer is started with a length of TCHTIMEHOPERIOD. When the timer expires, an intra-cell forced handover is performed.
The Hopping Sequence Number (HSN) in the Flex Training Sequence Code (TSC) and Flex Mobile Allocation Index Offset (MAIO) differentiates one TCH from another. Therefore, the characteristics of TCHs are different and an intruder cannot trace other TCHs according to the characteristics of a certain TCH. Whether to enable the Flex TSC function depends on the setting of FLEXTSCSWITCH. If FLEXTSCSWITCH is set to Yes, the channels join in frequency hopping and each channel is randomly assigned a TSC, ranging from 0 to 7.
After the BTS sends the ciphering command, it stops sending System Information 5, 5bis, and 5ter over the SACCH on the SDCCH. STOPSI5SWITCH specifies whether to stop the sending of system information. If STOPSI5SWITCH is set to Yes, the BTS stops sending System Information 5, 5bis, and 5ter over the SACCH on the SDCCH after sending the ciphering command. Instead, the BTS sends System Information 6 or L2 fill frames.
DUMMYBITRANDSWITCH specifies whether to randomize the dummy bits. If DUMMYBITRANDSWITCH is set to Yes, the BTS randomizes all the 0x2b dummy bits in the signaling and all the dummy bits in L2 fill frames. To avoid incompatibility with the MS, the BTS reserves the initial 0x2b dummy bits when randomizing signaling.
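A check for whether dummy-bit randomization is actually in effect, as an added example that is not part of the original document: it locates the fill octets in plaintext L2 frames taken from a BTS-side trace and reports whether they are still the fixed 0x2B pattern. The 23-octet frame layout (address, control, length indicator, information, fill), the reading of "reserves the initial 0x2b dummy bits" as "first fill octet stays 0x2B", and all function names and sample frames are assumptions.

```python
FRAME_LEN = 23  # assumption: 23-octet LAPDm frame without an L1 header (SDCCH)
FILL = 0x2B     # fixed fill octet named in the text

def fill_octets(frame: bytes) -> bytes:
    """Return the fill octets that follow the information field."""
    if len(frame) != FRAME_LEN:
        raise ValueError("expected a 23-octet frame")
    info_len = frame[2] >> 2  # length indicator octet: L is in bits 8..3
    if 3 + info_len > FRAME_LEN:
        raise ValueError("length indicator exceeds the frame")
    return frame[3 + info_len:]

def classify(frame: bytes) -> str:
    """Classify the fill of one frame."""
    fill = fill_octets(frame)
    if len(fill) < 2:
        return "no-evidence"      # at most the reserved first octet is present
    if all(b == FILL for b in fill):
        return "fixed"            # fill is fully predictable plaintext
    if fill[0] == FILL:
        return "randomized"       # first fill octet kept, the rest random
    return "randomized-all"       # every fill octet random (L2 fill frames)

def randomization_effective(frames) -> bool:
    """True if at least one frame shows evidence and none uses fixed fill."""
    seen = [k for k in map(classify, frames) if k != "no-evidence"]
    return bool(seen) and "fixed" not in seen

# Constructed sample frames: address, control, length indicator, then fill.
HDR = bytes([0x03, 0x03, 0x01])   # UI frame with an empty information field
OFF_FRAME = HDR + bytes([FILL]) * 20
ON_FRAME = HDR + bytes([FILL]) + bytes.fromhex(
    "9e41c705d2387ab1e60f4c93285de17a0b64f9")

if __name__ == "__main__":
    print(classify(OFF_FRAME), classify(ON_FRAME))
    print(randomization_effective([ON_FRAME, OFF_FRAME]))
```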
4 Engineering Guidelines
This describes the ciphering algorithms that are currently supported. Huawei equipment currently supports the following ciphering algorithms: A5/1, A5/2, and A5/3. The ciphering algorithms A5/1, A5/2, and A5/3 coexist in the same system and can be flexibly defined through data configuration to meet specific regional requirements. The 3GPP Organizational Partners allow all countries to apply for A5/1 or A5/3 because A5/2 is prone to being broken. The A5/3 ciphering algorithm is preferred over other ciphering algorithms in terms of security.
5 Parameters
Table 5-1 Parameters Description

Parameter ID: ECSC
NE: BSC6900
MML: SET GCELLCCBASIC(Optional)
Description:
Meaning: The early classmark sending control (ECSC) parameter specifies whether the MSs in a cell use early classmark sending. After a successful immediate assignment, the MS sends additional classmark information to the network as early as possible. The additional classmark information mainly contains the CM3 (classmark 3) information. The CM3 (classmark 3) information contains the frequency band support capability of the MS (used for the future channel assignment), power information about each frequency band supported by the MS (used for the handover between different frequency bands), and encryption capability of the MS.
GUI Value Range: NO(No), YES(Yes)
Actual Value Range: NO, YES
Unit: None
Default Value: YES
Parameter ID: SDFASTHOSWITCH
NE: BSC6900
MML: SET GCELLSOFT(Optional)
Description:
Meaning: Whether to enable the SDCCH quick handover test function. If this parameter is set to Yes, the BSC initiates intra-cell SDCCH handover as soon as the MSC issues an encrypted command to the MS. Thus, the forwarding encrypted signaling can be transmitted and received on a new signaling channel. In this way, the network security is improved.
GUI Value Range: OFF(Off), ON(On)
Actual Value Range: OFF, ON
Unit: None
Default Value: OFF

Parameter ID: TCHTIMEHOSWITCH
NE: BSC6900
MML: SET GCELLSOFT(Optional)
Description:
Meaning: This parameter specifies whether to perform periodic intra-cell handover for speech services on TCH.
GUI Value Range: OFF(Off), ON(On)
Actual Value Range: OFF, ON
Unit: None
Default Value: OFF

Parameter ID: TCHTIMEHOPERIOD
NE: BSC6900
MML: SET GCELLSOFT(Optional)
Description:
Meaning: This parameter specifies the interval at which the speech service on a TCH is handed over.
GUI Value Range: 1~600
Actual Value Range: 1~600
Unit: s
Default Value: 60
Parameter ID: FLEXTSCSWITCH
NE: BSC6900
MML: SET GCELLSOFT(Optional)
Description:
Meaning: Whether to enable the function of the Flex training sequence code (TSC). If the value of this parameter is ON and the BTS supports the Flex TSC function, the BSS dynamically allocates TSCs to hopping frequencies for improving the security of calls.
GUI Value Range: OFF(Off), ON(On)
Actual Value Range: OFF, ON
Unit: None
Default Value: OFF

Parameter ID: STOPSI5SWITCH
NE: BSC6900
MML: SET GCELLSOFT(Optional)
Description:
Meaning: This parameter specifies whether the sending of system information 5, 5bis, and 5ter can be stopped on the SACCH on the SDCCH after the BTS issues a ciphering command.
GUI Value Range: OFF(Off), ON(On)
Actual Value Range: OFF, ON
Unit: None
Default Value: OFF

Parameter ID: DUMMYBITRANDSWITCH
MML: SET GCELLSOFT(Optional)
Description:
Meaning: Whether a BTS randomizes the dummy bits in all the signaling messages that the BTS sends to an MS. That is, dummy bits are randomized rather than filled on the basis of 0x2B.
GUI Value Range: OFF(Off), ON(On)
Actual Value Range: OFF, ON
Unit: None
Default Value: OFF
6 Counters
For the counters, see the BSC6900 GSM Performance Counter Reference.
7 Glossary
For the acronyms, abbreviations, terms, and definitions, see the Glossary.
8 Reference Documents
[1] 3GPP 48.058: "Base Station Controller - Base Transceiver Station (BSC-BTS) Interface Layer 3 Specification"
[2] BSC6900 Feature List
[3] BSC6900 Optional Feature Description
[4] GBSS Reconfiguration Guide
[5] BSC6900 GSM Parameter Reference
[6] BSC6900 GSM MML Command Reference
[7] BSC6900 GSM Performance Counter Reference